Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp150464pxb;
        Mon, 13 Sep 2021 15:35:10 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwvDEubZA4GLTrRZesvfsM0mWbfzoy0NIYYpI0Dozyv6f8ISrKUn0t0J5k82ZT2ippAlxMq
X-Received: by 2002:a6b:f908:: with SMTP id j8mr11317035iog.22.1631572510093;
        Mon, 13 Sep 2021 15:35:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1631572510; cv=none;
        d=google.com; s=arc-20160816;
        b=OVffpYpQQievxVXAtWm15LkpgcEV7EEGWkqiWiXd3yn2qGE/grLy19NPoDWJjm5ZqG
         A8DEcmgz3rv+fy7PnCr4kClk1MIW57K6tlDqIm8EE26QlB2qBiePchS5HtBIVjH9Rs2P
         d1tacVna4zH5PUkwFipOq9/abKN2VYhvxIHHRSd2diu7bzpfLkQ4HoJLeQCLsz+rqQ2H
         x1xyIxuIqQK9PV0oOjvRZR0m5S7u6tCJBGYi1KMWSgBMJ8sm060CzHn31CGLvSsT0SbE
         AekPuYh9i7kKRZa/WTFPPx01UEijwnPVHldk769rGpyS6lFyfkGXvSBeLUkaTxsZnRwJ
         rclA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=DRdA0RVA5nCMSK9xJGEMtkpcgXw9gE1NWNjJQtxzsss=;
        b=E//c81stjxkznhg/Dgkcu8aHenC0v3jyYuCpISTZ9fGvlSiw4z7mkdaZlJzyZJp65t
         C6YOzwOWg925orwMXzh2HPU9gCqTUDsKz+zMO+IA/gkugu7epKQmRAX87Qbg/Jcrys/J
         RzbFN/pAtbXPLMJE4hUCW+I/HYdwNS7wC/4mXvQgK5OXwHF3W8SEcJ0xiZERpS7flbch
         YEtD0fDcADVmeIRR5IQMkHgXnDv9ssEPY2kFI3r9TzmK78PtGFcIxJQN4YrVGRJqKSK5
         m7pBeuis9GybWE37oDKlwDb46akBD06Aup3LrOcruLIpqnq2XIQ8vQhEKf4Es8JoFzGN
         3uOw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=QlLaGsRz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id j6si7907957ilu.92.2021.09.13.15.34.57;
        Mon, 13 Sep 2021 15:35:10 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=QlLaGsRz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S244944AbhIMOCu (ORCPT <rfc822;lkml.email@gmail.com> + 99 others);
        Mon, 13 Sep 2021 10:02:50 -0400
Received: from mail.kernel.org ([198.145.29.99]:48144 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1343801AbhIMN7n (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 13 Sep 2021 09:59:43 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id BE02F613AC;
        Mon, 13 Sep 2021 13:37:25 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1631540246;
        bh=0eVmFigmvePfK0NtKm7EzbzuJ3ya/9SnuQww5F3AvfQ=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=QlLaGsRzTgRqVKY+GH59tzs5nUoSk4FkqDQFB04gKRfO/XDRh8WfTk5IZZlCzbXhR
         HHhplN/WTS1dMNUzgLAcf3bLZE43TzF0PaKtNffEiWU4hWV8IM/HG5OPYcFkyr2Zbb
         uc3XTXcOY2Ea3VJiF9AP3JWQn+GkdCrldWw/kods=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Dongliang Mu <mudongliangabcd@gmail.com>,
        Dan Carpenter <dan.carpenter@oracle.com>,
        Hans Verkuil <hverkuil-cisco@xs4all.nl>,
        Mauro Carvalho Chehab <mchehab+huawei@kernel.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.13 113/300] media: rockchip/rga: fix error handling in probe
Date:   Mon, 13 Sep 2021 15:12:54 +0200
Message-Id: <20210913131113.206669149@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210913131109.253835823@linuxfoundation.org>
References: <20210913131109.253835823@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dan Carpenter <dan.carpenter@oracle.com>

[ Upstream commit e58430e1d4fd01b74475d2fbe2e25b5817b729a9 ]

There are a few bugs in this code.  1)  No checks for whether
dma_alloc_attrs() or __get_free_pages() failed.  2)  If
video_register_device() fails it doesn't clean up the dma attrs or the
free pages.  3)  The video_device_release() function frees "vfd" which
leads to a use after free on the next line.  The call to
video_unregister_device() is not required so I have just removed that.

Fixes: f7e7b48e6d79 ("[media] rockchip/rga: v4l2 m2m support")
Reported-by: Dongliang Mu <mudongliangabcd@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/platform/rockchip/rga/rga.c | 27 ++++++++++++++++++-----
 1 file changed, 22 insertions(+), 5 deletions(-)

diff --git a/drivers/media/platform/rockchip/rga/rga.c b/drivers/media/platform/rockchip/rga/rga.c
index bf3fd71ec3af..6759091b15e0 100644
--- a/drivers/media/platform/rockchip/rga/rga.c
+++ b/drivers/media/platform/rockchip/rga/rga.c
@@ -863,12 +863,12 @@ static int rga_probe(struct platform_device *pdev)
 	if (IS_ERR(rga->m2m_dev)) {
 		v4l2_err(&rga->v4l2_dev, "Failed to init mem2mem device\n");
 		ret = PTR_ERR(rga->m2m_dev);
-		goto unreg_video_dev;
+		goto rel_vdev;
 	}
 
 	ret = pm_runtime_resume_and_get(rga->dev);
 	if (ret < 0)
-		goto unreg_video_dev;
+		goto rel_vdev;
 
 	rga->version.major = (rga_read(rga, RGA_VERSION_INFO) >> 24) & 0xFF;
 	rga->version.minor = (rga_read(rga, RGA_VERSION_INFO) >> 20) & 0x0F;
@@ -882,11 +882,23 @@ static int rga_probe(struct platform_device *pdev)
 	rga->cmdbuf_virt = dma_alloc_attrs(rga->dev, RGA_CMDBUF_SIZE,
 					   &rga->cmdbuf_phy, GFP_KERNEL,
 					   DMA_ATTR_WRITE_COMBINE);
+	if (!rga->cmdbuf_virt) {
+		ret = -ENOMEM;
+		goto rel_vdev;
+	}
 
 	rga->src_mmu_pages =
 		(unsigned int *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, 3);
+	if (!rga->src_mmu_pages) {
+		ret = -ENOMEM;
+		goto free_dma;
+	}
 	rga->dst_mmu_pages =
 		(unsigned int *)__get_free_pages(GFP_KERNEL | __GFP_ZERO, 3);
+	if (rga->dst_mmu_pages) {
+		ret = -ENOMEM;
+		goto free_src_pages;
+	}
 
 	def_frame.stride = (def_frame.width * def_frame.fmt->depth) >> 3;
 	def_frame.size = def_frame.stride * def_frame.height;
@@ -894,7 +906,7 @@ static int rga_probe(struct platform_device *pdev)
 	ret = video_register_device(vfd, VFL_TYPE_VIDEO, -1);
 	if (ret) {
 		v4l2_err(&rga->v4l2_dev, "Failed to register video device\n");
-		goto rel_vdev;
+		goto free_dst_pages;
 	}
 
 	v4l2_info(&rga->v4l2_dev, "Registered %s as /dev/%s\n",
@@ -902,10 +914,15 @@ static int rga_probe(struct platform_device *pdev)
 
 	return 0;
 
+free_dst_pages:
+	free_pages((unsigned long)rga->dst_mmu_pages, 3);
+free_src_pages:
+	free_pages((unsigned long)rga->src_mmu_pages, 3);
+free_dma:
+	dma_free_attrs(rga->dev, RGA_CMDBUF_SIZE, rga->cmdbuf_virt,
+		       rga->cmdbuf_phy, DMA_ATTR_WRITE_COMBINE);
 rel_vdev:
 	video_device_release(vfd);
-unreg_video_dev:
-	video_unregister_device(rga->vfd);
 unreg_v4l2_dev:
 	v4l2_device_unregister(&rga->v4l2_dev);
 err_put_clk:
-- 
2.30.2